How do you trust that your personal machine is not compromised?

ex-AOSP dev here

Android and ChromiumOS are likely the most trustable computing platforms out there; doubly so for Android running on Pixels. If you don't prefer the ROM Google ships with, you can flash GrapheneOS or CalyxOS and relock the bootloader.

Pixels have several protections in place:

- Hardware root of trust: This is the anchor on which the entire TCB (trusted computing base) is built.

- Cryptographic verification (verified boot) of all the bootloaders (IPL, SPL), the kernels (Linux and LittleKernel), and the device tree.

- Integrity verification (dm-verity) of the contents of the ROM (/system partition which contains privileged OEM software).

- File-based Encryption (fscrypt) of user data (/data partition where installed apps and data go) and adopted external storage (/sdcard); decrypted only with user credentials.

- Running blobs traditionally run in higher exception levels (like ARM EL2) in a restricted, mutually untrusted VM.

- Continued modularization of core ROM components so that they could be updated just like any other Android app, ie without having to update the entire OS.

- Heavily sandboxed userspace, where each app has very limited view of the rest of the system, typically gated by Android-enforced permissions, seccomp filters, selinux policies, posix ACLs, and linux capabilities.

- Private Compute Core for PII (personally identifiable information) workloads. And Trusty Execution Environment for high-trust workloads.

This is not to say Android is without exploits, but it seems it is most further ahead of the mainstream OSes. This is not a particularly high bar because of closed-source firmware and baseband, but this ties in generally with the need to trust the hardware vendors themselves (see point #1).

Great question. I don't anymore. Decades ago when I had a 286 and knew what each file did and what all the software was, and threats were limited and crude, I had good confidence of controlling my machine. Today, when my laptop has millions of files and each website - even hacker news - could inject something malicious and my surface is so broad (browsers applications extensions libraries everything) and virtually anything I do involves network connections... I just don't have the confidence.

FWIW, I try to segregate my machines for different categories of behaviour - this laptop is for work, this one is for photos and personal documents, this one is for porn, this one is if I want to try something. But even still my trust in e. G. software vlan on my router and access controls on my NAS etc are limited in this day and age.

I feel today it's not about striving for zero risk (for 99.99 of people) , but picking the ratio of overhead and risk you're ok with. And backups. (bonus question - how to make backups safe in age of encrypting ransom ware).

Here's a short, fairly practical guide that you might find helpful: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-.... It is aimed mostly at small businesses, but I find a lot of the guidance to be pretty relevant to my personal IT.

My even shorter (and incomplete) summary of the document would be: configure your router and firewall; remove default passwords and crapware from your devices; use a lock screen; don't run as root; use a password manager and decent passwords; enable 2FA everywhere you can; enable anti-malware if your OS has it built it; don't run software from untrusted sources; patch regularly.

There are also other controls that you can choose to impose on yourself. For example, I require full-disk encryption, and I will only use mobile devices which get regular updates. Would be interested in hearing other things that HN'ers do to limit risk.

Bios? I'm not sure I can ever be certain.

For the rest, I run a pretty esoteric setup (compiled-from-source custom configured linux kernel with no binary blobs; all software compiled from source, with no exceptions; aggressive, burdonsome-to-me privilege separation; chroots and VMs for various degrees of potential threat; etc). I have no illusions that it is perfectly safe. What I am comfortable with is that, in order to compromise me, you would have to know a lot about what I run and how I run it. I believe that I would have to be nearly individually targeted to extract any useful data from my machine, and that I am not nearly a valuable enough target for anyone to do so. I think you would have to be a state-level actor or someone with similar capabilities to compromise me, and none of them would care enough.

My security paranoia stems from extremely sensitive work I did as a lawyer long ago, but I am now so used to it that I carry on as a scientist, even though my current work is not nearly so sensitive (if at all). I give up a lot of convenience and some functionality to operate this way, so it is not for everyone. I am not an adversary to anyone, so outside state actors surely don't care about me. And my own government can just get a warrant and knock on my door, so they don't care about me either.

Embedded device firmware besides the bios is probably my main vulnerability, but if you're successfully getting at me through my hard drives or mouse, then I was surely an incidental rather than actual target.

I assume it is, per Intel ME / AMD PSP's ability to read everything - memory, CPU registers, disk, inspect all network traffic, directly utilize onboard GbE for bidirectional communication.

For adversaries below the level of the US intelligence agencies, I run everything virtualized and compartmentalized with Qubes, the installation image for which I verified the dev-provided cryptographic signature matches. I try to rigorously avoid any software operated by Google, Amazon, Microsoft, Apple, Facebook, disable all JS by default in my LibreWolf browser, refuse to connect directly websites protected by cloudflare, audit source code for almost everything I run in userland, etc etc etc.

This is all for my personal machine. For work devices, I assume they're pwned even worse and I do nothing but actual work on them.

On the mobile side, GrapheneOS on a Pixel for my first phone, and a linux phone with hardware killswitches for bt/wifi, cam/mic, and baseband for my second phone.

All of this in addition to solid fundamentals like network traffic monitoring, very restrictive firewall, offline encrypted hardware password manager with no password reuse, etc.

Like others here are saying, you can never be 100% sure. But that doesn’t mean there’s nothing you can do.

If you’re worried about the impact to your broader organization (which is what most of the sophisticated threats tend to target), you should think about risk mitigation through the Swiss Cheese defense model. Each system is inevitably going to have holes, but layering them on top of one another will incrementally improve your coverage.

For instance:

- Your team should be trained about phishing attacks. But inevitably some will get through, so…

- You should implement 2FA in case a password is compromised. But a threat actor may be able to capture a 2FA-passed SSO session token, so…

- Production access should be limited to a small number of individuals. But even they might get compromised, so…

- You should programmatically rotate credentials to make old leaked credentials useless. But a newer one might be captured, so…

- Data should be sufficiently encrypted at rest and in transit, and…

- Your team should have an incident management system and culture in place to quickly respond to customer reported incidents and escalate it to the right level and…

- Audit logs should be tracked to understand the blast radius in case of compromise - and so forth

When you look at incidents like CircleCI and LastPass, a good security organization will understand that there was more than just one point of failure and should talk in detail about how they are shoring up each level.

You really can't, anymore. You can watch traffic and hope that anything nasty isn't communicating with the outside world, but then there's all sorts of side channels that you may not know to watch.

At some point you just have to admit there's limits to privacy and work with them. You paper journal could be stolen and read / rewritten too, yaknow? It's not a new problem, its just in a new context.

I only have limited trust. Between 3D printing slicers from Chinese companies, many packages from PyPI and Rust crates, there is always a danger that something is compromised somewhere.

I try to limit attack surface in the following ways:

- I only use M1 Macs as desktops. This reduces attack service in various ways. M1 Macs do not have anything like UEFI firmware, it all starts from the iBoot ROM and the whole chain is verified with signatures. The OS is on a sealed system Volume that is read-only and signed. Altogether, this limit firmware/OS attacks.

- I use a U2F key and/or the Secure Enclave of the Mac for credentials (SSH keys, 2FA). They are set up to require user confirmation.

- When possible, I will install applications from the Mac App Store, since they are sandboxed by default.

- I use separate work and private Macs.

- I clean and factory restore my Macs every few months.

- I use some tools like Knock Knock to see if there is anything suspicious.

Compromise is obviously possible, but I try to push it into 'mostly state actor' territory, because I am not interesting to most state actors.

I run QubesOS which compartmentalizes your usb ports, network card, and all your various application workflows into separate virtual machines. It is literally designed to protect you even if part of your system is compromised.

https://www.qubes-os.org/intro/

For details on how I use Qubes specifically see: https://github.com/hashbang/book/blob/master/content/docs/se...

I don’t have ultimate trust in any software or hardware, but I get to “good enough” by deciding which providers I trust:

* Software: Canonical, Google, Microsoft, Valve, Oracle, Dropbox. I install software from their official repos and keep it up to date. Anything 3rd-party/unofficial/experimental/GitHub goes in a VM.

* Hardware: I built my main PC from mainstream commodity components. I have no way of knowing if there are secret backdoors but I consider it unlikely.

I use a password manager, I enable 2FA, I turn off things I don't use, and generally have a low-risk hygienic approach to computing.

I’m also privileged enough to not be a “person of interest” so don’t feel the need to take any extraordinary precautions.

Yes, I’m aware of VM escapes. Yes, I’ve read Reflections on Trusting Trust. I choose to trust regardless because life’s too short for paranoia. As Frank Drebin said:

“You take a chance getting up in the morning, crossing the street, or sticking your face in a fan.”

I have several layers of security, including an infosec mindset that comes naturally, but at the end of the day I don't really know. I have faith that if I were to be infected statistically it would be by some malware that would give itself away by mining crypto or doing something else very loud and disruptive.

Fun story but my laptop was actually hacked remotely once, without me knowing.

It was almost 20 years ago, some would call me a script kiddie. Just trying to be bad ass, trying to live the movie Hackers. Had a stolen laptop running FreeBSD, with a wicked bootsplash just like the kids in the movie.

So you can imagine I was moving with the wrong crowds online, having little defacing wars with other groups and shit like that. Caught the wrong kind of attention.

I say that infosec comes naturally to me now but pobody's nerfect and back then I had re-used a password in a weakly encrypted service database, someone hacked this service, found my password, found my ssh logins to the servers, and traced backwards to my laptop.

I don't remember the details but somehow working back from one server, perhaps to another jumpserver, they were able to get the IP for my laptop and actually login to it.

Fortunately for me they didn't do anything but gather data, they posted this on a wall of shame saying "another hacker down". I say fortunately for me because I had thousands of customer's data on that laptop, including CC#'s for the business I was running at the time. They missed all this, and the very next day I reinstalled my laptop and reset all passwords on pure coincidence. I had no idea I had been hacked, I just felt like reinstalling for some other reason.

Found their wall of shame posting later and felt very much ashamed.

This thread has inspired me to setup a tripwire for my workstation. It's something I used to use many years ago but I think it's a good setup to have some sort of alerting if files start changing.

The biggest thing is being deliberate about your threat model. Who would want to get onto your systems, and how much do they care about you in particular?

From there, take appropriate actions. For the vast, vast majority of us, that means using good passwords, updating software, and not running weird things from the internet.

If you’re worried about 0 click RCE in Chrome/Windows/iOS, you either should be getting better advice from folks outside of HN, or are being unrealistic about who is coming after you.

I worry so much more about the dumb hardware locks and secure enclaves, OS features etc. I find the risk of a compromised machine to be so much less of an impact on my life than my computer telling me I am not allowed to do something.

This is my computer, let me tell it what to do. I hate how much of my time is wasted by all this security stuff. Infinitely more so than had been wasted by actual malware over the last decade or so.

I don't want to have to spend 10hrs figuring out how to hide root from Android pay every time something upgrades. Please just let me have root on devices I own.

Ever since I started doing a lot of work in C where all the foot guns are intentionally left in I've had my eyes opened to how beautiful and fun computers can be when they aren't your fucking adversary.

"Security" that can't be disabled by the device owner is tyranny.

Before defining any strategy, you need to define an appropriate threat model. Which kind of information are you storing on your device and who can target you?

If you are a standard person and not doing any illegal, the information that you need to protect are mostly related to financial and personal standpoint. So you need to protect you bank/credit card/cryptowallet with encryption and/or MFA. For financial information, use the same criteria, according also to level of continentality that you want to achieve: it's stupid to encrypt your cat pictures, it may be worth to encrypt cipher your son pictures, it's mandatory to protect your health related files also with MFA. This is just to have an idea, you should make this exercise frequently (let's say every 6 months) and verify if the security controls are in place and have to be updated.

For my own devices, I am using this approach:

* Infrastructure: I am using a password manager with MFA for all my accounts and where is possible I have enabled MFA. I have Cloudflare ZT on my home network, so I am a bit protected against web threat. Moreover, I have a script that everyday download phishing and malicious feeds and update my router's ACLs. I am not exposing anything on public, all the services inside my house are accessible through VPN. My Chinese camera are heavy firewalled in a different VLAN and reachable only from specific host. Every device is upgraded to last version and no default passwords.

* Main laptop: is running Linux, so I am feeling a bit more safer during the web surfing. Anyway, I have an encrypted backup for important data over cloud, just to be ensure disaster recovery.

* Secondary laptop: is running Windows, I am keeping it regularly updated with scheduled MS Defender scans. My wife is mainly using it, but she is not installing anything without my approval (I am the admin of the laptop).

* Phone: Storage encrypted, access protected by strong PIN and no biometric. Applications are installed only from official stores and using a DNS blacklist. My phone has a native feature to reduce and auditing app permissions on a schedule and I am doing it by myself as well sometimes. In case I have to connect to an unencrypted public network, I am using a Wireguard VPN client.

Just my 2 cents, I hope to did not forget anything and be helpful.

Some OS mitigations:

  All: patch, encrypt, backup, track power, isolate workflow by device/VM
  Network: router with OSS firmware, workflow segmentation, reduce wireless
  iOS: (>A12 SoC) Lockdown mode, Brave w/o JS, daily reboot
  iOS: periodic reinstall from DFU mode, Apple Configurator / MDM policy
  macOS: hardening script based on workflow, outbound firewall
  Windows: Secured Core device + SystemGuard + App Guard VM isolation
  Windows: HP device + SureStart (f/w check) + SureClick (browser VMs)
  Linux: vPro device + QubesOS with Anti-Evil-Maid 
  Linux: generic device + non-persistent LiveCD OS image

> "Compromised" meaning that malware hasn't been installed or that it's not being accessed by malicious third parties. This could be at the BIOS, firmware, OS, app or any other other level.

I don't believe there is a way to be 100% certain, but if I had to go to a store and pick a new device with the lowest likelihood of being compromised, it would be a desktop, a laptop, or a tablet running ChromeOS[1].

[1] https://www.chromium.org/chromium-os/chromiumos-design-docs/...

If you're just a rando who isn't likely to get specific attention from someone like the NSA or other state-backed threat agents, then the answer is that if everything is behaving normally that you're not compromised. For the bulk of people if someone breaks into your personal device they're going to start using it for something. You'll see unusual utilization, your proxy settings on your browser will get changed, you'll just be hit by a ransomware attack and your drive will be encrypted and you'll be locked out, etc. They're after the bulk of the users out there and they don't need to be particularly stealthy about anything.

Of course if you have large quantities of BTC or something then the answer is to get it off of your personal machine and setup a cold wallet that cannot be hacked, and stop installing clever looking crypto shit on your machine.

Surprised not to see a mention of Talos II system based on IBM POWER9 technology that is open spec and otherwise a very competent build with fully open hardware FPGA mainboard and stuff like physical trip jumper protection, and potential for customised security measures via the BMC, Arctic Tern, et cetera. IBM is notoriously good at virtualisation, and POWER9 is very competent for machine learning workloads, the 2U and 4U systems they offer can go up something ridiculous like 176 threads in a two-socket configuration and there's plenty of lanes. You can reprogram the firmware, too; it's all out there in the open and you normally wouldn't need special hardware.

You can get one for not less than $5,500. https://www.raptorcs.com/content/TLSDS3/intro.html

"Ask HN: How do you trust that your personal machine is not compromised?"

The pivotal word in this question is "you". If you allow a third party, e.g., Google, Apple, Microsoft, a "Certificate Authority", etc., to decide "trust" on your behalf, then it is the third party that controls "trust", not "you".

A third party can tell "you" that "your personal machine" has or has not been "compromised". The third party can decide who to trust.

However, this is quite different than you deciding who to trust.

Under the trust models promoted by "tech" companies like the ones mentioned above, ultimately "you" are not supposed to be the one deciding trust. They want to do this for you.

Unfortunately, "tech" companies are themselves third parties and they may have commercial interests counter to yours.

Just some generic things that should help avoid or clean up after a compromise.

- clean reinstall every month, just pick a new flavor of Linux to try out. (also helps ensure I have proper backups and scripts for setting up environment)

- Dev work I usually do in docker containers, easy to set up/nuke environments.

- Open source router with open source bios (apu2), firewall on it, usually reinstall once in a while.

- Spin up VMs via scripts for anything else. (games - windows VM with passthrough GPU for example)

- automatic updates everywhere.

From a more security security research point-of-view, the paper “Bootstrapping Trust in Commodity Computers”[1] is a very good overview. Although it would necessitate a bit of an update for more recent developments with e.g. dm-verity etc.

[1] PDF: https://www.andrew.cmu.edu/user/bparno/papers/bootstrapping-...

You generally don’t. It all depends on your attack hypothesis. Are you a Mossad target or a non-Mossad target? The best you can do if you are a non-Mossad target is to anonymously/pseudonymously periodically purchase new hardware and do a fresh OS install. Be minimalistic. If you can’t trust your wifi-enabled printer, disable its wifi connectivity and use it only over USB. If you still can’t trust it, don’t use printers to begin with.

Security is at odds with usability, so you can't run critical apps on your personal machine. For me, stuff that needs to be secure, runs on a separate machine that has nothing else installed.

The Librem 14 has a neutered Intel chip (no ME) among other things. My favorite privacy/freedom-respecting laptop. https://shop.puri.sm/shop/librem-14/

I'm reasonably sure that my personal machine is less compromised than the average, but I can't and will never be able to ensure that it is not compromised because I have no way to know everything the machine trying to do. This remains true even when you have an entirely free and directly inspectable hardware; you simply have no knowledge and time to verify everything. Just keep a reasonable amount of precaution and skepticism.

Hopes and prayers?

I think its completely impossible to make sure your machine is not compromised. You can just take the best effort to keep it clean.

Try to use 2FA as much as possible. And try to shield the 2nd factor as good as possible from any connection to your other devices.

Are there any somewhat easy-to-use solutions to isolate a development environment? Preventing or at least decreasing the damage malicious packages could do? Like deleting files or uploading a private ssh key/keychain to a 3rd party server?

I was looking into things like GitHub Codespaces, I believe they're isolated per repository and integrated into VS Code, but I'd like something I could run on my machine or a server of mine.

I don't trust that my machines are not compromised.

All I can do is to start with a machine I believe to be "clean", and take measures to keep it that way (others have suggested suitable measures). But even a brand-new machine might have a compromised BIOS, or compromised firmware in some peripheral processor like the Wifi adaptor.

I don't know how to guarantee that a machine is "clean" to begin with, and I doubt anyone else does.

The same way you can't be sure that when you drive to work today you are not going to die, you can't be sure that your machine isn't compromised somewhere. That's just how reality is: safety is an illusion.

Like with driving, make an effort to lower the probability to wherever makes you comfortable, then just accept that there's a non-zero chance it wasn't good enough.

Perhaps it's because I have a cold right now, but I interpreted "personal machine" to mean my body. And what is meant by "trust?" The word is really synonymous with "faith". That's why the correct phrase is "trust and verify".

I understand that my "personal machine" - my body - is always compromised. I also have faith that no heinous actors are likely to try to compromise my body. But that is only because I am a nobody and have the good fortune to live in a safe place.

As for computers, I think the same logic applies. I have faith that no nefarious actors are striving to compromise my own machine specifically. But for many high-value targets, this would be a bad assumption. Witness the crypto thefts that have occurred by hacking individual's computers.

I am no expert in counter ciber espionage, but my understanding is that it boils down to a) reducing attach surface, b) using trusted hardware, and c) using ephemeral "machines".

You don't. Treat your personal machine(s) as compromised by default and take it from there.

Any way to actually monitor traffic at the PC or network level for an individual user? I see a lot of odd behavior by TVs, IOT devices, connected bulbs and such. None of them seem necessary to me. I feel windows could do a lot better with reporting or allowing users to clearly see what is communicating across the network currently.

The reality is that you cannot trust that your machines are not compromised.

The only option we are left with is to operate under the assumption that, indeed, our machines are permanently compromised.

"Assume breach" was the phrase they taught us at Microsoft (at least in 2016). I assume everything is compromised. So I make public and distribute/decentralize as much as possible.

I #BuildInPublic as much as possible on GitHub and GitLab and dedicate everything to public domain (http://pledge.pub/).

I have a number of computers and can be up and running on a new Macbook in under an hour.

I run multiple mirrored web sites.

I distribute crypto keys across ledgers and safety deposit boxes in multiple states.

Most importantly: I don't pay for insurance (except for mandated auto and homeowners). Instead, everyday I go out there and try to deliver as much good to as many people as possible, knowing that the best insurance when bad luck strikes isn't some check from some corporation, but the helping hands from your fellow neighbors.

I protect my machine from as many commercial interests as I can. This removes a whole class of issues.

For the rest, the thing is so complicated nowadays I can't really say anymore.

I spent my youth on 8 bit machines. At that time I was 100% certain there was no compromise. But nowadays,...

Never allow a company or government to install known and unknown software that spies on you. This means Microsoft, Google, Facebook, Apple, etc.

Nobody cares enough about me to target me, and I don't run Windows. That excludes like 99.99% of possibilities.

Android, on the other hand... I have installed apps I didn't know much about, and that store is full of malware, so I have no idea.

Simple: I don't.

It is most likely compromised and I behave accordingly.

I daily drive an m1 mac. I cant even change the initial boot screen wallpaper because it’s on a sealed partition. The previous intel/T2 approach of modifying then blessing the modified partition doesn’t work on m1. When i dug into the depths of this simple problem (changing boot screen wallpaper before login) i came away impressed.

So I feel fairly confident about the machine firmware & OS. Less so about my keyboard for example. Also because i opt out of a lot of the securities (e.g. i download from homebrew rather than using app store apps), I can’t be sure i’m not being compromised.

Keep it air gapped, only way to be sure!

Only half kidding, unfortunately.

Noone has drained my crypto from my wallets yet.

So either my personal machine is not compromised, or they think the amount of crypto in the wallets is too low.

Jokes on them though, cause I am moving my crypto to a hardware wallet eventually

Reminds me of the time I was watching a creepypasta horror movie about some guy who gets strange phone calls and my phone rang.

I think this guy had gotten my phone number from my HN profile and he thought I might be able to help him. He thought his android phone was infected by malware and he knew who did it. I told him the people who repair cell phones at the mall could do a system reset on his phone…. Unless he was dealing with state-level actors in which case it might be an advanced persistent threat and it might be permanent.

I don't. Every now and then I access gross stuff online to make uncle FBI or cousins Hacker man puke their meals and lose the will to snoop on my boring Facebook account.

And since the video card is old and internet is spotty, brother Bitcoin miner and ransomware delivery man won't have much to win either.

The rest of automated attacks have to go through basic PC os protection (firewall, antivirus, hardware locks for unwanted code execution, etc).

It's the digital equivalent of "in god we trust"

My threat profile doesn't include Mossad or NKVD, if they are out to get me then I accept that they will. Especially at the BIOS/firmware/other levels.

For some excellent advice on security and privacy based on thoroughly researched technical concerns rather than speculation or blind trust in any particular organization (e.g. Apple or Google or Mozilla), see here: https://madaidans-insecurities.github.io/ I found the Android and Firefox/Chromium evaluations particularly interesting.

You should assume all devices are compromised

I believe my most vulnerable environment is the development environment. 3rd party code being updated almost constantly combined with fairly standardized cli to cloud environments (kubectl, az/aws/Heroku, gh, etc.

And I don’t just have to be vigilant about what I do, but also about what my team has done. It terrifies me, and it’s a sad reality that my personal risk is reduced by the fact that if I fall victim, countless other teams will as well.

First, take a deep breath.

Second, unless you're in a situation where you've pissed off/threatened some rather large actors, you should be fine assuming you follow best practices for backup, software, update and password management and you avoid using things like cheap IoT devices to connect to your cloud services.

Third, when disaster strikes, keep calm, rely on backups, change affected passwords and notify others who might get affected.

I use a OS from a vendor not obsessed with usage monetization nor any kind of "phone home" functionality.

I consider internet browsers to be a be a major backdoor risk and thus have none installed on my host OS. I only browse interwebs from VMs.

I don't trust my home network the same as I wouldn't trust an open public WiFi.

I don't assume everything is as secure as it could be and am taking redundant steps to ensure certain stuff.

Can You Trust Your Computer? https://www.gnu.org/philosophy/can-you-trust.en.html

Eben Moglen: The alternate net we need, and how we can build it ourselves:

https://www.youtube.com/watch?v=gORNmfpD0ak&t=2s

I don’t. I assume all devices are potentially compromised and I shift my risk to others as much as possible - credit card fraud protection, etc.

I actually don’t really trust my Linux and macOS laptops. I put no sensitive information in them, just what I need to write software or build models.

I do trust iOS and iPadOS in Lockdown Mode, and I avoid installing apps, usually preferring web apps.

I have a Chromebook and I also trust that.

In all cases, I don’t wait to install available system updates - that might not be the best strategy, but that is how I do it.

I've taken steps to secure my Linux:

* Using Yubikey PAM always as a 2FA for ssh,sudo (also on every Linux in my home network).

* Always require authentication on each sudo command (prevents escalating once and then reusing privileges).

* Only running Docker with sudo as recommended (requires 2FA now).

* Closing all traffic other than services I need with nftables.

Regularly look at the journalctl for suspicious activity.

I use Windows as my main OS. In Windows 10 and 11, there is a feature called Unified Write Filter that essentially resets your computer after every reboot.

When I first got my laptop, I installed a fresh copy of Windows 10, installed all my commonly used applications, configured all my settings, and then enabled UWF. On every reboot, it goes back to this clean snapshot, no matter what I do - And reboots are quick too (~10 seconds).

I'm never worried about making changes to my laptop to try them out (installing a new program, configuring obscure settings, etc). If I don't like it, I can get back to my clean state with a simple reboot.

Still vulnerable to BIOS-level malware though, I suppose.

(Note: I repeated most of this from a previous hackernews comment of mine)

https://news.ycombinator.com/item?id=29374928

You can play with this in that situation. I assume all my cloud and local data is and just keep that in mind. But I also assume there's layers of access... so not everyone who can access it, has access to every part of it. One group maybe can access DNS queries; one group can access cellphone metadata and SMS; one group maybe can access unencrypted iCloud/Google/OneDrive data; one group needs warrants to access and creates lies to fraudulently obtain/fake-justify those; some other group doesn't need warrants and just has access, either through agreement or covert access.

Once Advanced Data Protection switches on globally "in early 2023" I'll have another compartment. But I assume that someone can access basically everything. You can have fun with it.

I also think what's happening on my devices is some of the least interesting parts of life, so, yeah, there's that, too. :)

Keep a modest Bitcoin wallet canary on the computer and run an activity alert from elsewhere. If I'm compromised one of the first things they'll do is steal that money. It's not perfect but it's a data point that gives me some confidence I haven't been compromised by a petty thief.

For malware that was downloaded through activity, even if it required no clicks, they usually present themselves as slower performance or other quirks. Maybe one has eluded discovery but I'd never know.

I'm much more wary of systemic malware at lower levels that I don't have an opportunity to detect. There's not so much I can do about that other than try to use devices from vendors I trust (or distrust less) that have the least preinstalled software. Lobbying for open firmware or hardware is the long-term strategy.

I also use multiple machines: work, personal, gaming, and utility (Surface Go). E.g. I use the mouse configuration software on the Surface Go and only the mouse hardware with its configured profile on the other machines.

Ultimately I can't know I'm not compromised but don't lose sleep over something I don't have more control over.

The real question here: does it even matter?

As far as I know I did everything right, and someone called my bank with info we both believe they got from stealing from my paper mail and got access because they convinced some human at a bank's call center they were me.

Don't make it easy for people (rng passwords + password manager, 2fa, don't run as su, whole disk encryption, don't leave you computer unlocked, don't log into your bank on rando computers you don't control, don't use untrusted wifi). However, assume you already are compromised and will have to deal with it some day.

Once you think that way, you don't need to stress that much about getting the perfect hardware solution or being super paranoid - buy a device you like, and enjoy you digital life. Stuff happens sometimes and if it does you can deal with it ¯\_(ツ)_/¯.

I use locked down apple devices and wireguard to a remote server to do work, so all my actually sensitive data resides on the remote server that is reasonably hardened, and I believe I would hear if iPadOS was compromised to an extent that I need to worry about it farily quickly, I hope so at least.

I don't know, really. I have a ton of "personal machines" when it gets right down to it, but I'll think client wise.

I distro hop chronically on most of my machines. Sometimes multiple OS reinstalls across machines per week. Some installs have lasted a few months but it's rare.

I try to stick to official repos when I do reinstall, so I'm outsourcing that trust to the distro maintainers.

If it's on the disk, it's gone except for a few important files I keep in a self-hosted Nextcloud sync folder.

I use LUKS encryption to ensure leaving the laptop on the bus is a non-event. If it was ever in somebody's possession for very long (border, police, lost and found) I'd just put it in the garage and never touch it again.

Firmware malware is pretty uncommon, still, so I'm just hoping for the best there.

Run Windows 95 and Internet explorer, there's probably nobody targeting them these days :-)

put $10 in a crypto wallet and keep the seed phrase on your desktop

check that it's still there from time to time; any automated malware will slurp it up

Run Linux. Install only trusted software. Don’t do sketchy (from a security perspective) things like look at porn or use torrent sites on your main computer. Backup often. Reinstall OS annually. Don’t run Windows. Don’t worry too much. Be happy.

I keep a few £ in bitcoin stashed on it. If it ever disappears, I'll know.

I dont! In fact I assume it has been to some extent and that I would be unable to detect this.

Going from that assumption, I take care to keep encrypted backups of all of my important files both locally on another machine and remotely.

I also use two-factor authentication wherever possible, because I find it unlikely that the same attacker would gain access to both my PC and phone.

Additionally, I have a second phone with no SIM card that I use for some TOTP 2 factor accounts that I wish to remain especially secure.

Operating at the assumption that you have already been compromised allows you to prepare for the worst should you truly be.

I don’t. Not sure why I’d do that. I find the risk acceptably low that it is. But more importantly, I don’t have any reason to fear that it is.

So I trust that regular caution and OS security reduces the risk to an acceptable level but mostly I don’t fear anyone reading or destroying my data because I have backups and it’s not sensitive. Sure it would be scary from an integrity perspective, but not in any other sense. Even constant access to my machine and everything I do wouldn’t be a big risk.

So if I’m affected by a ransom Trojan (most likely scenario), I’m happy to just wipe my machine.

I can't tell if my hardware was not compromised (most likely it was not), but for the data I store on my SSD - I keep it fully encrypted with boot stored on hardware aes-256-encrypted USB drive. Laptop won't boot without the USB plugged in, and USB won't unlock unless correct key is provided. Not too sophisticated but enough for my humble needs (that is I'm the only one who can boot the laptop, and I know my data will be safely forgotten if my flat gets robbed or if I forget my laptop on the train etc.).

You can try to "snoop" on the virus. For example, collecting all the internet packets, see if some ports are opened that is not needed. Collect logs on which apps are eating up the battery. These steps are not perfect by any means, but you can catch some noisy virus with this. If your virus is very stealthy you can only hope your passwords show up in haveibeenpwned.

This is also why using an open source OS is so important. At least you can investigate why something is happening in the OS. Without the source you can only guess at what is happening.

Assuming that you have no other option but to use a computer, there's some good advice here[1] for securing a Linux system. Then you can run regular scans using security tools like the ones listed here[2].

[1]: https://wiki.archlinux.org/title/security

[2]: https://wiki.archlinux.org/title/List_of_applications/Securi...

Separation of concerns is a good idea. Don't run everything together, e.g. multiple boot Os, or nested OS (windows with several WSL setups for different work, test untrusted windows apps first in windows development VM etc.). If you have a server, run dedicated VMs and work on those via remote, these days you can even stream your games from your dedicated VM. In case a game is compromised, it will at maximum compromise other games on the VM, but not your important work on another VM.

On my and my families windows machines, I try to follow the advice from Taylor Swift who seems to know what she is doing... https://decentsecurity.com/#/securing-your-computer/

In short: 1) secure bootup by locking up BIOS and encrypting your drive 2) set User Access Controls to the highest level 3) install up to date browser with appropriate addons (ublock)

The same way I trust that my wife isn't fucking other men behind my back. You'll never know for sure but you just have to put your faith in them.

My TL;DR Summary With time I have moved further and further away from using the computer for important things and believe that tech has long since exceeded George Orwell's wildest fever dreams

I assume a freshly installed OS is compromised [1] and the hardware it is on is also compromised in the BIOS and firmware at very least by state actors but then I also assume those state actors have poorly vetted contractors that may also be compromised by other nations i.e. who pays the most gets access. I would not be surprised for a moment if they have competing backdoors that try to block one another. Since I can not control any of this I just imagine the national actors of the world are watching my screen and yawning. More likely the latest iteration of ECHELON AI is yawning. I instead focus on securing important externalities making bank accounts read-only from the web, not all banks will do this. I also diversify where my assets are stored and make a best effort to require physical access.

Beyond that layer I do all the usual hardening practices but that only goes so far as every browser likely also has intentional weaknesses in them. Even FireJail and SELinux/AppArmor will likely just happily relay malicious instructions. Addons may raise the bar keeping some script-kiddies off my machine but I never for a moment assume that it stops government contractors from relaying instructions to the backdoors in the hardware and/or OS and ultimately to the hidden CPU instructions that likely take multiple layers of obfuscated instructions to tickle meaning SandSifter will never find them.

The above is for PC's. For cell phones I assume FAANG are interactively on my phone and since most of them were initially funded by the government. I do not use it for anything sensitive. I also assume that all cell phones have backdoors added by their manufacturer. Each one does seem to dial home to different places and make unique DNS requests. Putting phones into developer/debug mode does seem to quiet them down which is the opposite than I would have expected so maybe they know someone may be watching. i.e. malware knows it's in a sandbox

Wi-Fi Access Points are a story in and of themselves.

Why should I care about state actors? That one's easy. The best contractors will have leaks in their OpsSec and for-profit companies will acquire the weaknesses and use them to do illegal and unethical things to citizens for a price and political, economic and a myriad of other motivations. I would not be surprised if some government actors sell off access and end up working for said companies.

[1] - https://news.ycombinator.com/item?id=34388990 [and hundreds of other threads]

For my part, after considering this very question in the past, the answer is that the question is wrong.

The question is: is there some reason to trust, and the answer is: no.

In my opinion, any and all general computing devices sold to the mass consumer market are already compromised in some shape or form as they roll out from the factories -- otherwise such things would simply not be sold in large quantities.

"How do you trust that your personal machine is not compromised?"

You don't. They are all likely "compromised" to some extent. The vast majority likely have asymptomatic/latent state-sponsored vulnerabilities, if not on the machine itself, then in the network infrastructure it uses. For the most part, people might not consider them "malicious third parties".

I always assume my personal machine is compromised.

As with anything, there needs to be some evidence to believe something, and if there’s evidence, you can follow that to figure out if it’s real or just anomalous.

Generally, it’s a bad idea to believe things without evidence, so I guess you can trust your computer isn’t compromised the same way you can trust no unicorns exist; there’s not any credible evidence to suggest it.

Read the following short story… Disclaimer: I’m not responsible for any paranoia, computer fear or conspiracy thoughts that might arise after reading it: https://www.teamten.com/lawrence/writings/coding-machines/

A still-relevant classic: Reflections on trusting trust, Ken Thompson, 1984 https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...

I run the latest betas of macOS and iOS which means I get exploit breaking changes as soon as possible. I keep all the security mitigations on my mac enabled (SIP, secure boot, etc.) which helps makes a variety of exploit flows and persistent compromise difficult.

But random malicious code in user space? Well, I really just hope for the best :)

BIOS/Firmware: I just do, if I am compromised then I won't find out anyway.

OS/app level: occasional AV scans, though I don't trust clamav as much as I trust Windows antivirus.

I should really properly set up secure boot on my desktop to make rootkits harder to install, but Linux and secure boot are just too much of a kludge.

Eveybody in this thread talks about good security practices and prevention tips, while the question of OP is basically:

"how can you confirm that your machine is not compromised" => "how can you check if your machine is already compromised?"

You could use something booted from a read only medium like knoppix (if your computer has a cd reader!). At the BIOS level all bets are off though.

https://www.knopper.net/knoppix/index-en.html

Hmm, actually, my aging Mac always asks me to install something whenever I connect my newer iPhone - I don’t like that at all, it’s not at all what I’d expect from an apple device, but I always am coming to realise that apple devices really aren’t what they used to be - quite sad

By default I think I am, thus I minimize the amount of sensitive info I put into any device.

There are two levels here: compromised by some national agency vs. compromised by anyone else.

For the former, I don’t assume anything especially since I’m not an American citizen. I still believe with some certainty that my iPhone is safe from the government but not 100%

I don't. I am real picky with downloading software for my personal machine and I sometimes explore with process explorer and I run sketchy stuff in a sandbox but I don't trust that my personal machine is not compromised.

I used this a while back when I was worried something weird was going on: https://github.com/mvt-project/mvt. (Nothing was going on).

knocks on wood

Until the day we get sandboxing, well-defined interfacing with user data and stuff in desktop computing...

Imagine the desktop's security model, if you can call it that, on mobile. It would be madness.

I use 2fa where i can and accept the fact that if im not already compromised, i could be at any moment.

Thats also why 2fa is the first thing i configure after setting up a kubernetes cluster too.

I never trust a computer to not be compromised, if there’s any information so critical that it must be secured at all costs then I simply never let it near a digital device.

You simply cannot. Unless you want to go Richard Stallman path, and work on a laptop from 2008, with only open source software, unable to use Netflix, banking site, etc.

I view the traffic being sent from my devices, there is plenty of good tools for that.

If I see any anomalies, then that's a hint.

Note, you should not fully rely on this but rather as a starting point.

I don't.

That is... I don't trust my machine.

I take reasonable precautions, but at a certain point you have to just live your life and deal with people who violate your boundaries in meatspace.

I try to follow what others already mentioned, but still, for any personal high-security stuff I use a device whose OS puts strong limits on apps, like an iPad.

Law of averages. If I am hacked, then likely millions of other people are hacked, and I haven't heard about millions of people being hacked. QED.

In the words of Robert Morris, 40 years ago:

"The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it."

Store a $300 eth wallet private key on the machine in plain text. Have some other service notify you if that wallet address ever makes a transaction.

I use adblock to prevent (malicious) ads from running. Browser malicious downloads warnings are enabled. Configured to show a full screen warning if http is used instead of https. Opening links from email requires manually copy pasting, forcing an extra look at links.

Generally I don't install random software outside the official repos or AUR, but I do blindly trust those repos to not be compromised.

That being said, I don't think I could 100% trust a modern computing device to not be compromised, but since that isn't possible I also don't see it as actionable information.

Keep your essential files synced with an online service and regularly format and wipe your machine at least once a year. This is what I do.

Security is like:

https://www.youtube.com/watch?v=PFAbTLWiK20

I’ve been fairly comfortable since I moved to Mac’s - maybe I shouldn’t be so comfortable but I do mind what I click and open

Short of building your own and coding your own you never fully can. Very much a best effort cost/benefit thing

You don't. Welcome to industry!

"There is no way to really know if a computer is compromised" - Joanna Rutkowska

Don't think I can find a practical way to be 100% sure of that. I'm happy to be at 95% though.

Waiting for HackGPT to become a thing, so I can use it as a pentester.

Any ways in which AI can already help?

I trust that it is compromised since I don't have a chip fab in the back yard.

That’s the neat thing: I don’t!

I am a distrohopper and don't use phone for calling and some messaging apps.

Compromised by whom? We've all heard of IME and PRISM I assume...

Windows 10, Firefox, ublock origin and Windows Defender

Dont install weird exe or MSIs

Thats kinda it.

A combination of good practices and a lot of rationalization!

i used to care great deal about this, but recently i gave up

why do you even care? most of your files are either on apple's computers or google's computers

I’m kind of hoping Malwarebytes is good at it’s job.

third parties is a broad term. Especially when the list of potential 2nd parties includes most of those 3rd parties.

I monitor all outgoing traffic.

TLDR; you don't.

Best advice I have, for what it's worth is to wipe and reformat from a known clean image regularly. If you haven't been hacked yet, stands to reason you wont be hacked going forward.

That said, I often install packages I don't fully vet, and grant permissions I probably shouldn't, either in the name of curiosity (how else do we learn and experiment), or necessity.

Try not to use apps written in unsafe languages like C and C++, etc.

My personal machine?

I use Linux with lots of distributed sync and backups with e.g. Syncthing (plus copies of stuff NOT on sync thing)

Now, I'm aware many reading this are going to nerd out hard (like how the top comment now is "Android/Chromium" which I'm skeptical of but haven't done much homework on? Maybe?)

But because you said "personal machine"-- I'm thinking about my own threat model and my years of experience.

Thus, not going to much worry about, say, some obscure Linux-Stuxnet-thing, which not only is overwhelmingly unlikely, but also something I can't much do anything about beyond the solutions I mentioned above.

More likely, I can avoid stupid Windows and stupid Mac,and often stupid Web mess by what I'm doing now.